SILVERILE DATA PROCESSING ADDENDUM (DPA)
TABLE OF CONTENTS
- Introduction & Scope
- Definitions & Roles
- Scope of Data Processing
- Processing Instructions & Lawfulness
- Sub-processors & Sub-Contractors
- Data Subject Rights & Assistance
- Security & Technical Measures
- Data Breach & Incident Response
- Data Transfers & International Compliance
- Data Return & Deletion
- Audit, Inspection & Cooperation
- Term & Termination
- Contact Information
- Schedules
1. INTRODUCTION & SCOPE
This Data Processing Addendum ("DPA") supplements and is incorporated by reference into the Silverile Customer Agreement ("Master Agreement") available at silverile.com/legal/customer-agreement.
This DPA applies where Silverile processes personal data on behalf of Customer in connection with providing Silverile's Products and Services. In such cases:
- (a) Customer is the "Data Controller" (determines purposes and means of processing);
- (b) Silverile is the "Data Processor" (processes data on Customer's instructions);
- (c) This DPA governs the processing relationship.
Applicability: This DPA applies to the extent that Silverile processes personal data subject to:
- (a) GDPR (EU/EEA data protection regulation);
- (b) UK GDPR (UK data protection post-Brexit);
- (c) Digital Personal Data Protection (DPDP) Act, 2023 (India);
- (d) California Consumer Privacy Act (CCPA/CPRA) (California, USA).
In the event of conflict between this DPA and the Master Agreement, this DPA governs with respect to data processing.
In the event of a conflict between this Data Processing Addendum and the EU Standard Contractual Clauses (Regulation (EU) 2021/914), the EU Standard Contractual Clauses shall prevail.
2. DEFINITIONS & ROLES
2.1 Key Definitions
"Applicable Data Protection Laws" means GDPR, UK GDPR, DPDP Act, CCPA/CPRA, and any successor or related laws.
"Data" or "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1), UK GDPR, or DPDP Act Section 2(f).
"Data Controller" or "Controller" means Customer, which determines the purposes and means of processing personal data. Customer is the controller for:
- Customer's own personal data (e.g., account credentials, profile info)
- Customer Data uploaded by Customers
"Data Processor" or "Processor" means Silverile, which processes personal data on Customer's behalf and in accordance with Customer's documented instructions.
"Data Subject" means the individual to whom personal data relates (e.g., Customer's employee, client, user).
"Processing" or "Process" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, transmission, or deletion.
"Sub-processor" means a third-party entity engaged by Silverile to process personal data on Silverile's behalf (with Customer's consent).
"Incident" means an actual or suspected breach of security or unauthorized processing of personal data.
2.2 Roles & Responsibilities
| Role | Entity | Responsibility |
|---|---|---|
| Data Controller | Customer | Determine purposes/means; obtain legal basis for processing; honor Data Subject rights; notify authorities |
| Data Processor | Silverile Inc. | Process only per Customer instructions; ensure security; assist with Data Subject rights; notify of incidents |
| Sub-processors | Third-party vendors (AWS, Stripe, etc.) | Process data per Silverile's instructions; comply with processor obligations |
3. SCOPE OF DATA PROCESSING
3.1 Types of Data Processed
Silverile processes the following categories of personal data:
| Data Category | Examples | Source |
|---|---|---|
| Identification Data | Name, email, phone, job title | Customer registration |
| Account Data | Username, password hash, organization | Customer input |
| Usage Data | Actions, clicks, features used, timestamps | Automatic collection |
| Device Data | IP address, browser, device type, OS | Automatic collection |
| Communication Data | Support tickets, emails, chat messages | Customer submissions |
| Payment Data | Billing address, credit card (tokenized) | Payment processor |
| Project Data | Projects, tasks, documents, files | Customer upload |
Note: Customer Data is content that Customer uploads (projects, documents, files). Processing of Customer Data is governed by this DPA where it contains personal data.
3.2 Duration & Frequency of Processing
- (a) Duration: From Account creation through Account termination + 30-day retention period.
- (b) Frequency: Continuous during Account active status.
- (c) Scale: Varies per Customer (hundreds to millions of records).
3.3 Purpose of Processing
Silverile processes personal data solely to:
- (a) Provide the Silverile Products and Services;
- (b) Manage Customer's Account (authentication, support, billing);
- (c) Comply with legal obligations;
- (d) Prevent fraud and maintain security;
- (e) Improve and analyze the Services (with anonymization/aggregation).
Processing is limited to these purposes. Silverile will not use personal data for marketing, profiling, or other secondary purposes without explicit Customer consent.
3.4 Processing Instructions
Silverile processes personal data exclusively in accordance with:
- (a) The Master Agreement and this DPA;
- (b) Customer's documented written instructions;
- (c) Applicable Data Protection Laws.
Change of Instructions: If Customer wishes to change processing instructions, Customer must submit a written request to legal@silverile.com. Silverile will respond within 10 business days with feasibility and any additional cost.
4. PROCESSING INSTRUCTIONS & LAWFULNESS
4.1 Legal Basis for Processing
Customer is responsible for establishing a legal basis for processing under Applicable Data Protection Laws:
| Legal Basis | Silverile Role |
|---|---|
| Consent | Customer obtains and documents consent from Data Subjects |
| Contract | Silverile provides Services per Customer's contract with Data Subjects |
| Legal Obligation | Customer determines if legal obligation applies |
| Legitimate Interest | Customer assesses legitimate interests and balances |
| Vital Interest | Customer determines if vital interests justify processing |
Silverile relies on Customer's representations that a valid legal basis exists.
4.2 Lawfulness Representations
Customer represents and warrants that:
- (a) Customer has a valid legal basis for collecting and providing personal data to Silverile;
- (b) Customer has obtained required consents (e.g., GDPR Article 13/14, DPDP Act Section 8);
- (c) Customer has provided required privacy notices to Data Subjects;
- (d) Customer's use of Silverile complies with Applicable Data Protection Laws;
- (e) Customer has the authority to provide personal data to Silverile.
Silverile relies on these representations and is not liable for Customer's failure to comply with Data Protection Laws.
4.3 Prohibited Data
Customer shall not provide to Silverile:
- (a) Personal data of children under 13 (or higher age in jurisdictions) without parental/guardian consent;
- (b) Sensitive personal data (racial origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, sex life data) without:
  - Explicit consent, or
  - Legal exemption, or
  - Supplementary safeguards (encryption, access restriction);
- (c) Data requiring special compliance (HIPAA health data, PCI payment card data, government ID numbers) without a specific compliance agreement;
- (d) Data of individuals who have withdrawn consent (Silverile will delete within 10 days of notice).
5. SUB-PROCESSORS & SUB-CONTRACTORS
5.1 Sub-processor List
Silverile engages the following sub-processors to assist in providing the Services:
| Sub-processor | Location | Purpose | Category |
|---|---|---|---|
| Amazon Web Services (AWS) | USA (US-East, US-West); EU (Frankfurt, Ireland) | Cloud hosting, data storage, backup | Infrastructure |
| Stripe | USA | Payment processing | Payment |
| GitHub (optional, if integrated) | USA | Code integrations | Integration |
| 8X8 (optional, if integrated) | USA | Conference | Integration |
Current sub-processor list: silverile.com/
AWS Sub-processors: AWS may engage its own sub-processors per AWS DPA. Customer may review AWS's sub-processor list at aws.amazon.com/service-terms/.
5.2 Sub-processor Authorization & Consent
- (a) Implied Consent: By accepting this DPA, Customer consents to Silverile using the sub-processors listed above.
- (b) Future Sub-processors: Silverile will provide 30 days' notice before engaging a new sub-processor. Customer may object within 15 days by contacting legal@silverile.com.
- (c) Objection Rights: If Customer reasonably objects to a new sub-processor, Silverile will:
  - Work with Customer to find alternative solutions, or
  - Allow Customer to terminate the affected Services without penalty if no alternative is acceptable.
5.3 Sub-processor Contracts
Silverile ensures all sub-processors are bound by:
- (a) Written contracts requiring equivalent data protection obligations;
- (b) Clauses mandating confidentiality and security;
- (c) Clauses prohibiting further sub-processing without approval;
- (d) Clauses requiring assistance with Data Subject rights and incident response;
- (e) Audit rights for Silverile and, indirectly, for Customer.
Customer may object to a new sub-processor on reasonable data protection grounds by providing written notice within a reasonable period after being informed of such sub-processor.
Copies of sub-processor contracts are available upon request to legal@silverile.com.
6. DATA SUBJECT RIGHTS & ASSISTANCE
6.1 Data Subject Rights
Data Subjects have the following rights under Applicable Data Protection Laws:
GDPR & UK GDPR Articles 15-22:
- (a) Right of access (Article 15)
- (b) Right to rectification (Article 16)
- (c) Right to erasure (Article 17)
- (d) Right to restrict processing (Article 18)
- (e) Right to data portability (Article 20)
- (f) Right to object (Article 21)
- (g) Rights related to automated decision-making (Article 22)
DPDP Act Sections 17-22:
- (a) Right to access personal data (Section 17)
- (b) Right to correction/completion (Section 18)
- (c) Right to deletion/erasure (Section 19)
- (d) Right to nomination (Section 20)
- (e) Right to grievance redressal (Section 21)
- (f) Right to opt-out of profiling (Section 22)
CCPA/CPRA:
- (a) Right to know
- (b) Right to delete
- (c) Right to correct
- (d) Right to opt-out of "sale" or sharing
- (e) Right to limit use
- (f) Right to non-discrimination
6.2 Customer's Responsibility
Customer is responsible for:
- (a) Responding to Data Subject requests (access, correction, deletion);
- (b) Honoring Data Subject rights within legal timeframes;
- (c) Informing Data Subjects of their rights (via privacy notices);
- (d) Lodging complaints with data protection authorities if Customer believes processing is unlawful.
6.3 Silverile's Assistance
Silverile will assist Customer by:
- (a) Access Requests: Providing Customer with a data export containing all personal data Silverile holds for the Data Subject within 10 business days of Customer's request.
- (b) Rectification Requests: Allowing Customer to correct inaccurate personal data in the Products (Customer is responsible for requesting corrections).
- (c) Deletion Requests: Upon Customer's written request, Silverile will delete personal data within 30 days (subject to legal retention obligations and backup retention periods).
- (d) Portability Requests: Exporting personal data in a structured, commonly used, machine-readable format (CSV, JSON) within 15 business days.
- (e) Profiling Objections: Disabling automated decision-making or profiling for specific Data Subjects upon request.
6.4 Response Timelines
| Request Type | Response Time |
|---|---|
| Access request | 10 business days |
| Rectification | 5 business days |
| Deletion | 30 days (+ backup retention up to 90 days) |
| Portability | 15 business days |
| Profiling opt-out | 5 business days |
7. SECURITY & TECHNICAL MEASURES
7.1 Security Obligations
Silverile implements technical and organizational measures to protect personal data:
Technical Measures:
- (a) Encryption at Rest: AES-256 encryption for all data stored in databases;
- (b) Encryption in Transit: TLS 1.2+ for all data transmission (HTTPS);
- (c) Access Controls: Role-based access control (RBAC); principle of least privilege;
- (d) Authentication: Multi-factor authentication (MFA) available for users; API tokens for integrations;
- (e) Logging: Audit logs of all access and modifications (6-month minimum retention; Enterprise: 2 years);
- (f) Monitoring: Automated threat detection; anomaly detection; intrusion prevention;
- (g) Vulnerability Management: Quarterly penetration testing; monthly vulnerability scans; patch management;
- (h) Firewall & Network: Web application firewall (WAF); DDoS protection; network segmentation.
Organizational Measures:
- (a) Employee Training: Regular data protection and security training for all employees;
- (b) Background Checks: Background screening for employees with data access;
- (c) Confidentiality Agreements: All employees sign confidentiality/non-disclosure agreements;
- (d) Data Protection Policy: Written data protection policy and incident response plan;
- (e) Third-Party Vetting: Sub-processors are assessed for adequate security before engagement;
- (f) Access Limitation: Access to personal data limited to employees with business need;
- (g) Incident Response: 24-hour incident response team; documented incident procedures.
7.2 Security Standards & Certifications
Silverile maintains the following certifications:
- (a) SOC 2 Type II: Annual third-party audit confirming security, availability, and processing integrity controls.
- (b) ISO 27001: Information security management system certification (in progress; target 2026).
- (c) GDPR Compliance: Standard Contractual Clauses (SCCs) and technical measures per GDPR Articles 32-34.
- (d) DPDP Act Compliance: Security measures per DPDP Act Schedule 1 (encryption, access controls, audit logs).
Audit reports and certifications are available upon request to legal@silverile.com.
7.3 Data Minimization
Silverile processes only personal data necessary to provide the Services:
- (a) We do not collect personal data beyond what is required for account management, billing, and service delivery;
- (b) Customers should not upload unnecessary personal data (e.g., government ID numbers, biometric data);
- (c) Optional personal data (phone number, profile photo) may be omitted without affecting core service functionality.
7.4 Pseudonymization & Anonymization
- (a) Usage Analytics: Silverile anonymizes usage data to create aggregate reports and insights (e.g., "X% of projects have Y feature enabled").
- (b) Opt-Out: Customers may opt out of analytics collection by contacting legal@silverile.com.
- (c) De-identification: Once data is anonymized, it is no longer personal data and is outside this DPA's scope.
8. DATA BREACH & INCIDENT RESPONSE
8.1 Breach Definition
A "Data Breach" means an Incident involving actual or suspected unauthorized access, disclosure, alteration, or destruction of personal data held by Silverile.
8.2 Breach Notification Obligations
Silverile will notify Customer of a suspected or confirmed Data Breach within 72 hours (or as soon as practicable) by email to the Account Administrator's registered email address.
Notification will include:
- (a) A description of the Breach;
- (b) Types and approximate number of Data Subjects affected;
- (c) Likely consequences of the Breach;
- (d) Measures Silverile has taken or will take to address the Breach;
- (e) Silverile's contact person for further inquiries;
- (f) Preliminary findings of the investigation (if available).
8.3 Customer Responsibilities
Upon receiving notice of a Data Breach, Customer is responsible for:
- (a) Assessing whether the Breach constitutes a "personal data breach" under Applicable Data Protection Laws;
- (b) Notifying Data Subjects if required by law (within specified timeframes, e.g., GDPR: 30 days where no low-risk mitigation exists);
- (c) Notifying the relevant data protection authority if required;
- (d) Conducting or commissioning a Breach assessment;
- (e) Implementing remedial measures to prevent recurrence.
Silverile will cooperate with Customer's Breach assessment and remediation efforts at no additional cost.
8.4 Incident Investigation & Cooperation
- (a) Investigation: Silverile will investigate the Breach and document findings (including root cause, scope, impact);
- (b) Cooperation: Silverile will provide Customer reasonable assistance, including log access, timeline reconstruction, and technical analysis;
- (c) Law Enforcement: Silverile may notify law enforcement if the Breach involves criminal conduct;
- (d) Transparency: Silverile will provide a transparency report to Customer upon investigation completion.
8.5 Liability for Breaches
Silverile's liability for Breaches is subject to Section 8 (Limitation of Liability & Indemnification) of the Master Agreement. Silverile is not liable for Breaches caused by:
- (a) Customer's negligence or misuse of the Products;
- (b) Customer's failure to implement security measures;
- (c) Third-party attacks or Force Majeure Events;
- (d) Unauthorized access due to Customer-shared credentials.
9. DATA TRANSFERS & INTERNATIONAL COMPLIANCE
9.1 Data Transfer Mechanisms
Silverile transfers personal data to the USA for cloud hosting, processing, and service delivery. Transfers are authorized under:
- (a) Standard Contractual Clauses (SCCs): Silverile has incorporated SCCs (EU Standard Contractual Clauses, UK SCCs) into contracts with sub-processors (e.g., AWS).
- (b) Customer Consent: Customer consents to transfers to the USA and third-country sub-processors by accepting this DPA.
- (c) Data Transfer Impact Assessment (DTIA): Silverile has conducted a DTIA for USA transfers and concluded adequate safeguards exist (encryption, contractual protections).
9.2 Supplementary Safeguards
In addition to SCCs, Silverile implements:
- (a) Encryption: All data is encrypted in transit and at rest, limiting exposure to US surveillance.
- (b) Data Minimization: Only necessary personal data is transferred.
- (c) Sub-processor Restrictions: Sub-processors (e.g., AWS) are contractually restricted from mass surveillance or unauthorized government access.
- (d) Transparency: Silverile publishes Government Request Guidelines (silverile.com/) explaining data disclosure procedures.
9.3 GDPR Derogations
Under GDPR Article 49, Silverile may rely on the following derogations for emergency data transfers:
- (a) Explicit Consent: Customer provides explicit consent to USA transfers (provided above).
- (b) Contract Performance: Transfer is necessary to perform the Services (cloud hosting, payment processing).
- (c) Public Interest: Transfer is necessary for public interest reasons (security, fraud prevention).
9.4 Data Return & Deletion Upon Termination
Upon termination of this DPA:
- (a) Return: Customer may request that Silverile return or certify deletion of all personal data within 30 days.
- (b) Backup Retention: Silverile may retain backups for up to 90 days for disaster recovery (after which data is securely deleted).
- (c) Legal Retention: Silverile may retain data where required by law (tax records, audit requirements) for the duration required.
Silverile represents that it has no reason to believe that the laws and practices of any third country applicable to the processing of Personal Data prevent it from fulfilling its obligations under the EU Standard Contractual Clauses, and Silverile will notify Customer if it becomes aware of any such legal requirement.
10. DATA RETURN & DELETION
10.1 Data Deletion Schedule
Upon Account termination, Silverile will:
- (a) Immediate Deletion: Account access is revoked; Customer data is marked for deletion.
- (b) 30-Day Deletion: Personal data is securely deleted from primary databases within 30 days.
- (c) 90-Day Backup Purge: Automated backup copies are retained for up to 90 days (for disaster recovery); deleted thereafter.
- (d) Legal Retention: Silverile retains data where legally required (tax records, court orders) for the duration specified by law.
10.2 Data Export & Portability
Before termination, Customer may:
- (a) Export all Customer data (projects, tasks, documents) via the Products export feature;
- (b) Request a full personal data export (in CSV/JSON format) within 15 business days of request;
- (c) Import data into alternative tools.
10.3 Verification of Deletion
Upon request, Silverile will provide written verification that personal data has been deleted, signed by an authorized representative.
11. AUDIT, INSPECTION & COOPERATION
11.1 Audit Rights
Customer may audit Silverile's data processing and security practices by:
- (a) Self-Audit: Accessing usage logs, audit trails, and security settings within the Products;
- (b) SOC 2 Report: Requesting Silverile's annual SOC 2 Type II audit report (confidential; may include NDA);
- (c) Compliance Questionnaires: Submitting security/compliance questionnaires (Silverile will respond within 15 business days);
- (d) Third-Party Audit: Engaging an independent auditor (at Customer's expense) to conduct a security assessment, subject to:
  - 30 days' written notice
  - Reasonable frequency (no more than once per year without cause)
  - Auditor confidentiality agreement
  - Non-disruptive to Silverile's operations
11.2 Inspection Rights
Silverile will permit Customer to:
- (a) Access data processing records (limited to data security, retention, and handling);
- (b) Inspect security controls and incident logs (subject to Employee privacy);
- (c) Observe disaster recovery testing (annually, upon request);
- (d) Review sub-processor security certifications.
Inspection must be:
- (a) Scheduled with 10 business days' notice;
- (b) Conducted during business hours;
- (c) Non-disruptive to Silverile's operations;
- (d) At Customer's expense if conducted more than once annually.
11.3 Cooperation with Regulators
Silverile will cooperate with data protection authorities and regulators, including:
- (a) Responding to data protection inquiries and requests;
- (b) Providing evidence of compliance with Applicable Data Protection Laws;
- (c) Assisting with investigations and audits;
- (d) Implementing remedial actions directed by regulators.
Customer will reimburse Silverile for costs incurred in responding to government investigations if the Customer is determined to be at fault.
12. TERM & TERMINATION
12.1 Term
This DPA remains in effect for the duration of the Master Agreement and continues after termination for purposes of data deletion and retention.
12.2 Termination of Data Processing
Upon termination of this DPA:
- (a) Silverile ceases processing personal data for the Services;
- (b) Silverile returns or deletes personal data per Section 10;
- (c) Silverile's obligations under this DPA survive for the purpose of deletion, audit, and regulatory cooperation.
12.3 Survival
The following sections survive termination:
- (a) Section 7 (Security) – for 1 year post-termination;
- (b) Section 8 (Breach Notification) – for 3 years;
- (c) Section 11 (Audit & Inspection) – for 3 years.
13. CONTACT INFORMATION
Silverile Inc.
1941 W Blaylock Dr
Phoenix, AZ 85085
USA
Data Protection Officer (GDPR):
Email: dpo@silverile.com
Grievance Officer (DPDP Act):
Email: grievance@silverile.com
Privacy & Legal:
Email: legal@silverile.com
Sub-processor Inquiries:
Email: subprocessors@silverile.com
Response Time: 10 business days for routine inquiries; 5 business days for urgent matters.
14. SCHEDULES
Schedule A: Standard Contractual Clauses (SCCs)
[EU Standard Contractual Clauses are incorporated by reference]
Silverile has adopted the Standard Contractual Clauses for processor-to-processor transfers (AWS DPA) and controller-to-processor transfers (this DPA).
SCCs are available at:
Schedule B: Data Subject Rights Request Form
[Template for Data Subject access/deletion requests]
Data Subjects may submit rights requests via:
- (a) Email: legal@silverile.com
- (b) Online form: silverile.com/legal/data-rights-request
- (c) Mail: Silverile Inc., Privacy Team, 1941 W Blaylock Dr, Phoenix, AZ 85085, USA
Required Information:
- Data Subject name
- Email address
- Description of request (access, deletion, correction, portability)
- Verification of identity
Schedule C: Sub-processor List
[Current as of January 2, 2026]
See Section 5.1 for the complete, updated sub-processor list.
A live sub-processor list is maintained at: silverile.com/
By signing or accepting the Master Agreement, Customer acknowledges and agrees to this DPA.
Last Updated: January 2, 2026